Using the HTTP Server CA utility

  • Overview of certificate authority options
  • Before you begin
  • Install WebSphere Application Server
  • Ensure required MIME types are in the server configuration file
  • Create key databases and certificates using IKEYMAN
  • Copy CA key database and certificate into the CA utility directory
  • Export your CA key database into the CA utility
  • Accessing the HTTP Server CA utility
  • Using HTTP Server CA to process client and server certificates
  • Overview of CA process
  • Administrator tasks
  • Exporting the CA key database
  • Processing a certificate request
  • User tasks
  • Downloading a CA certificate to a Web browser
  • Requesting a browser certificate
  • Receiving an approved browser certificate
  • Webmaster tasks
  • Downloading a CA certificate for another server
  • Requesting a server certificate
  • Receiving an approved server certificate
  • Related Information
    Overview of certificate authority options

    To conduct commercial business on the Internet, we recommend that you purchase a secure server certificate from an external certificate authority (CA) such as VeriSign. For a list of supported CAs, see Certificate authorities.

    If you act as your own CA, you can sign your own or anyone else's certificate requests. This is a good choice if you only need the certificates within your private Web network and not for outside Internet commerce. Clients must have browsers, such as Netscape Navigator or Microsoft Internet Explorer, that can receive your CA certificate and designate you as a trusted CA.

    To act as your own CA, you can use your server key management utilities (IKEYMAN and HTTP Server CA), or you can purchase certificate authority software from a CA provider.

    Note: If you expect to administer over 250 certificates, you may want to consider purchasing software from a CA provider. This limit is based on the number of certificate requests that can be stored in the CA key database. After storing 250 certificate requests, performance of the utility is very slow.

    Before you begin

    Install WebSphere Application Server

    Before using HTTP Server CA, you must install the WebSphere Application Server as your servlet engine.

    For installation instructions, see WebSphere Application Server Getting Started V2. You can access this book and other Application Server documentation from the WebSphere Application Server Web site.

    Ensure required MIME types are in the server configuration file

    For client certificates to download correctly, the following AddType directives and MIME types must be included in the server configuration file:

    AddType .cer application/x-x509-user-cert 7bit   0.5 #User certificate
    AddType .der application/x-x509-ca-cert   binary 1.0 #Browser CA certificate
    

    These MIME types are included in the default server configuration file.

    Create key databases and certificates using IKEYMAN

    Before using the CA utility, create your server and CA key databases, server certificate, and self-signed CA certificate using IKEYMAN. For directions, see Creating a self-signed certificate.

    Note: As the Administrator, you can choose to have CA certificate requests processed automatically after they are submitted. Automatic processing eliminates the need for you to manually process each certificate request. If you want automatic processing, create a stash file for the CA key database password when you set up your CA key database using IKEYMAN.

    Copy CA key database and certificate into the CA utility directory

    After you create your CA key database and self-signed CA certificate, copy the cakey.kdb file into the CA utility directory.

    You can optionally choose to store your encrypted CA key database password in a stash file. If the stash file is in the same directory as the CA key database file (cakey.kdb), then all certificates that are sent to be signed by the CA utility will be approved automatically. If you create a stash file (cakey.sth), copy that file into the same directory as the cakey.kdb file.

    Export your CA key database into the CA utility

    Your cakey.kdb file on the server must be exported into the CA utility in a format that can be used by clients and servers. For detailed instructions, see Exporting the CA key database.

    Accessing the HTTP Server CA utility

    To access the HTTP Server CA utility, go to URL:

     http://your.server.name/CAServlet/Welcome.html
    

    Using HTTP Server CA to process client and server certificates

    Overview of CA process

    Your job as CA is to verify that a certificate should be issued for a client or server. You need to make sure that the person making the request has a legitimate claim to request the certificate. After you have verified a person's claim, you can create signed certificates using HTTP Server CA.

    The input to this process is a client or server certificate request. The output will be a certificate signed with your private key.

    After you have processed the client or server certificate:

    1. You will notify the client or server to download your CA certificate. Detailed steps are shown in Downloading a CA certificate to a Web browser and Downloading a CA certificate for another server.

    2. You will notify the client or server to download the certificate you have signed (CA-signed certificate) and receive it into their client or server operational key database. Detailed steps are shown in Receiving an approved browser certificate and Receiving an approved server certificate.

    After completing these steps, the client or server can use their CA-signed certificate to communicate securely with other HTTP Servers and Web browsers in your private Web network.

    Administrator tasks

    Exporting the CA key database

    Use these steps to export the CA key database (cakey.kdb) on the server in a format that can be used by browsers and servers. You do not need to repeat these steps after the initial setup of your certificate authority.

    Note: You must create the cakey.kdb file using IKEYMAN before you can use the CA utility. For directions, see Creating a self-signed certificate.

    To export your CA key database file for browsers and servers:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. From the Front Page of the utility, click Administration to access the Administration Tasks page.

    3. Select Export CA keys for browsers and enter your CA key database password.

    4. Click Process Now. This creates a file called cakey.der. You should get a message confirming that the CA key was successfully exported.

    5. On the Administration Tasks page, select Export CA keys for servers and enter your CA key database password.

    6. Click Process Now. This will create a file called cakey.txt. You should get a message confirming that the CA key was successfully exported.
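The whole CA workflow that this page spreads over the Overview of CA process, Exporting the CA key database and the receive-a-certificate tasks (create a CA key and self-signed CA certificate, export the CA certificate as DER for browsers and as PEM text for servers, take in a certificate request, check it before signing, sign it with the CA key, and verify the issued certificate before it is installed), shown below as an added example that uses OpenSSL instead of IKEYMAN and the CAServlet utility. This is not code from the page or from IBM. The working directory, the configuration files (ca.cnf, req.cnf, server.ext), the file names mirroring the page's conventions (cakey.der, cakey.txt, server.arm, server.cert), the subject names and the host name www.example.test are all constructed for the example.

```shell
#!/bin/sh
# Added example (not IBM's tooling): a private CA run with the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed working directory for all files

# CA setup: key and self-signed CA certificate (the IKEYMAN step on the page).
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private CA
O = Example Org
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  chmod 600 "$WORK/ca.key"   # the CA private key is the whole trust anchor; keep it private
}

# Export of the CA certificate: DER for browsers (cakey.der), PEM text for servers (cakey.txt).
export_ca() {
  openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/cakey.der"
  openssl x509 -in "$WORK/ca.crt" -outform PEM -out "$WORK/cakey.txt"
}

# Requester side: new key pair plus a certificate request (the page's *.arm file). $1 = host name.
make_request() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
O = Example Org
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.arm" 2>/dev/null
}

# CA side: verify the claim before signing. $1 = the name the CA has confirmed the requester may use.
sign_request() {
  subj=$(openssl req -in "$WORK/server.arm" -noout -subject -nameopt RFC2253)
  case "$subj" in
    *"CN=$1,"*|*"CN=$1") ;;                      # subject matches what was verified
    *) echo "refusing: request subject '$subj' does not match '$1'" >&2; return 1 ;;
  esac
  # the request must carry a valid self-signature (proof that the requester holds the key)
  openssl req -in "$WORK/server.arm" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  cat > "$WORK/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
  openssl x509 -req -in "$WORK/server.arm" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.cert" 2>/dev/null
}

# Receiver side: checks worth running before the signed certificate goes into the key database.
check_issued() {
  # chains to the exported CA certificate
  openssl verify -CAfile "$WORK/cakey.txt" "$WORK/server.cert" >/dev/null 2>&1 || return 1
  # an end-entity certificate must not have been issued as a CA
  openssl x509 -in "$WORK/server.cert" -noout -text | grep -q "CA:FALSE" || return 1
  # the certificate must belong to the private key generated with the request
  k1=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
  k2=$(openssl x509 -in "$WORK/server.cert" -pubkey -noout | openssl sha256)
  [ "$k1" = "$k2" ]
}

# Full run: returns 0 only if every stage, including the final checks, succeeded.
run_ca_demo() {
  make_ca && export_ca && make_request www.example.test &&
    sign_request www.example.test && check_issued
}

run_ca_demo && echo "issued and verified $WORK/server.cert"
```

The two files written by export_ca correspond to the page's cakey.der (for browsers) and cakey.txt (for servers); sign_request is where the "verify that a certificate should be issued" step lives, and it refuses a request whose subject is not the name the CA confirmed, so an automatic-approval setup (the stash-file case described above) is exactly the setup in which that check never runs.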

    Processing a certificate request

    Notes:

    1. If you created a stash file for your CA key database password (cakey.sth), all browser and server certificate requests will be automatically approved.

    2. Ensure that certificate requests are processed over a secure connection.

    To process certificate requests from browsers and servers:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. From the Front Page of the utility, click Administration to access the Administration Tasks page.

    3. Select Process pending requests or Process all requests, then click Process Now.

      If there are waiting requests, you can take action on one or more of them.

    4. Click Process. You should get a message confirming that the certificate database was successfully updated.

    For more detailed instructions, click Help.

    User tasks

    Downloading a CA certificate to a Web browser

    Before you can accept a browser certificate signed by HTTP Server CA, you must first download the CA certificate that identifies HTTP Server CA as a trusted certificate authority to your browser.

    To download a CA certificate:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. Under Browser Certificates, click Download CA certificate from the Webserver.

    3. Follow the instructions for downloading the cakey.der file to your workstation.

    After downloading the CA certificate, designate the certificate as trusted by your browser and mark the certificate as the default in your operational key database. Once the CA certificate is designated as a trusted CA by your browser, you do not need to perform this procedure again.

    Requesting a browser certificate

    Use the following steps to request a browser certificate from the CA of your private network:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. Under Browser Certificates, click Request a browser certificate.

    3. In the Common Name field, specify a name of your choice. Make a note of this name because you will need it later when you receive your signed certificate.

    4. Enter your password in the Challenge Phrase field. You will need to specify this password later when you download your approved certificate.

    5. Complete all the required fields. For additional information, click Help.

    6. Click Submit Requests to send the completed form to the CA for approval. The process of generating a private key will be started on your browser. This private key will be used with the certificate you are requesting.

    7. Click OK on your browser to create the private key.

    Depending on your Administrator's setup, your request will either be approved automatically or after the Administrator has reviewed it. If automatic approval occurs, you will not get any messages confirming that the request has been approved. You can go directly to Receiving an approved browser certificate and complete that procedure.

    If your Administrator has set up manual approval, you will receive a message confirming that the certificate request has been accepted. Check with your Administrator to determine when the approval will be processed. Approved certificates are sent to the HTTP Server CA database directory.

    Receiving an approved browser certificate

    Before you can receive an approved browser certificate, you must download the CA's certificate (cakey.der). For instructions, see Downloading a CA certificate to a Web browser.

    Use the following steps to receive an approved CA-signed browser certificate:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. Under Browser Certificates, click Receive the approved certificate.

    3. Enter the Common Name you specified on the certificate request form.
      Note: If you get a message that no record is found, you may have entered your common name incorrectly. If you have forgotten the Common Name you entered, check with your Administrator.

    4. Enter the password in the Challenge Phrase field, then click Submit Request.
      Note: If you get a message that no record is found, you may have entered your password incorrectly. If you have forgotten your password, check with your Administrator.

    5. If the certificate is found, the Download Certificate page will display, and you can download the certificate. To start the download process, click Click here to download your certificate.

      If not found, check with the CA Administrator to find out when the certificate will be processed.

    6. After you receive the approved certificate, your browser will be trusted by other clients and servers in your private network.

    Webmaster tasks

    Downloading a CA certificate for another server

    Before you can process any signed HTTP Server CA certificates on another Web server, you must first store your HTTP Server CA certificate in your target Web server's operational key database.

    To download a CA certificate for another server:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. Under Server Certificates, click Download CA certificate from the Webserver. The cakey.txt file is displayed.

    3. To import the CA key, create a *.txt file on your system, then copy the contents of the displayed certificate file (cakey.txt) to your clipboard.

    4. Paste the certificate file from your clipboard into the new *.txt file you created.

    5. Store this CA certificate (*.txt file) in the operational key database of the target Web server using IKEYMAN. For detailed instructions, see Storing a CA's certificate.

    Requesting a server certificate

    Use the following steps to request a server certificate from the CA of your private network:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. Under Server Certificates, click Request a server certificate. The Server Certificate Request form appears.

      Use this form to send a server certificate request to the CA of your private network so that this HTTP Server will be trusted by the browsers and other HTTP Servers in the network. If there are other Web servers in your network, you can perform this task on behalf of the remote Web servers.

    3. In the Server Name field, specify a server name of your choice. Make a note of this name because you will need it later when you download your approved certificate.

    4. In the Organization field, specify an organization name of your choice.

    5. Enter your password in the Challenge Phrase field. You will need to specify this password later when you download your approved certificate.

    6. Complete all the required fields. For additional information, click Help.

    7. Browse your Web server's operational certificate request file (*.arm).
      When the *.arm file is displayed on your screen, copy the contents of this file to your clipboard. Then go to your Web browser and paste the contents into the section of the form that says: Please copy your certificate requests into the following area. You must paste your operational certificate request file (*.arm) into this space. This is the file that is sent to the HTTP Server CA to be signed.

    8. Click Submit Requests to send the completed form to the CA for approval.

    9. If your CA administrator has set up automatic approval, you can click on the Click here to download your certificate option to start the process. If automatic approval occurs, you will not get any messages confirming that the request has been approved. You can go directly to Receiving an approved server certificate and complete that procedure.

      If your CA administrator has set up manual approval, you should receive a message on your browser confirming that the certificate request has been accepted.

    Receiving an approved server certificate

    Before you can receive an approved server certificate, you must download the CA's certificate (cakey.txt). For instructions, see Downloading a CA certificate for another server.

    Use the following steps to receive an approved CA-signed server certificate:

    1. Go to URL:
      http://your.server.name/CAServlet/Welcome.html
      

    2. Under Server Certificates, click Receive the approved certificate.

    3. Enter the Server Name you specified on the certificate request form.
      Note: If you get a message that no record is found, you may have entered your server name incorrectly. If you have forgotten the Server Name you entered, check with your Administrator.

    4. Enter the password in the Challenge Phrase field, then click Submit Request.
      Note: If you get a message that no record is found, you may have entered your password incorrectly. If you have forgotten your password, check with your Administrator.

    5. If the certificate is found, the Download Certificate page will display, and you can download the certificate. To start the download process, click Click here to download your certificate.

      If not found, check with the CA Administrator to find out when the certificate will be processed.

    6. After the download process is complete, a signed certificate request file will display in your Web browser. Use your copy and paste function to copy this file to the clipboard. Paste the signed certificate into a *.cert file on your server.

    7. Receive the signed certificate into your server operational key database (*.kdb) using IKEYMAN. For detailed instructions, see Receiving a certificate signed by a trusted CA.

    8. After you receive the approved certificate, your server will be trusted by other HTTP Servers and Web browsers in your private network.

    Related Information

    Notes:

    1. If you are using certificate revocation lists (CRLs) for client authentication, you must purchase CA software from the IBM Registry and issue your own certificates.

    2. Financial and banking institutions have the option to purchase a special digital certificate that allows export editions of the server to use encryption levels of 128-bits or greater. For more information, see Stronger encryption option for financial and banking Web servers.

    Stronger encryption option for financial and banking Web servers

    When designated as a financial or banking Web server, the North American edition of the HTTP Server can exploit the strong encryption capabilities in the domestic and international versions of Netscape Navigator 4.x and Microsoft Internet Explorer 4.x. To use this function, you must purchase a special digital certificate from VeriSign called a Global Server ID.

    For regular Web transactions, the Netscape and Microsoft export browsers can use 40-bit encryption only for Secure Sockets Layer (SSL) transactions. However, when the server uses a VeriSign Global Server ID for its SSL certificate, the export browsers can use stronger levels of encryption of 128-bits or greater. This enables a server with a Global Server ID to communicate at the highest SSL encryption level with both domestic and international versions of the Netscape and Microsoft browsers.

    International financial and banking customers of the HTTP Server who want to use this function must contact IBM for an export license to obtain and use the North American edition of the HTTP Server.

    Certificate and URL requirements

    For an export browser to establish an SSL connection using 128-bit encryption:

    Browser requirements


    Table 2. Global server ID browser requirements

    Netscape Navigator
      Domestic: All versions work when the requirements listed in Certificate and URL requirements are met.
      Export:   Version 4.04 is the only version that supports 128-bit encryption.

    Internet Explorer
      Domestic: All versions work when the requirements listed in Certificate and URL requirements are met.
      Export:   Version 4.0, upgrade 4.72.3110.8, is the only version that supports 128-bit encryption. To verify the upgrade number, click Help, then About Internet Explorer.

    For the most current information on encryption support and browser requirements, see the HTTP Server Web site.
